CVE-2025-11855 is a vulnerability classified under CWE-269 (Improper Privilege Management) affecting the WordPress age-restriction plugin through version 3.0.2. The core issue lies in the age_restrictionRemoteSupportRequest function, which lacks proper authorization checks. This allows any authenticated user, including those with minimal privileges such as subscribers, to invoke this function and create a new administrative user account with a hardcoded username and a password of their choosing. The exploit does not require user interaction beyond authentication and can be executed remotely over the network. The vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity, with attack vector network (AV:N), attack complexity high (AC:H), privileges required low (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). This flaw effectively enables privilege escalation from low-level user to full admin, compromising the entire WordPress installation and potentially the underlying server. No patches or exploit code are currently publicly available, but the vulnerability is published and recognized by WPScan. The affected versions are all versions up to 3.0.2, with no indication that later versions have fixed the issue yet. The vulnerability is particularly dangerous because WordPress is widely used across many European organizations for websites and e-commerce platforms, and the age-restriction plugin is commonly deployed to comply with legal age requirements for content or sales. Attackers exploiting this vulnerability could gain persistent administrative access, deface websites, steal sensitive data, or use the compromised site as a foothold for further attacks within the network.

For European organizations, the impact of CVE-2025-11855 can be severe. The ability for low-privileged authenticated users to escalate to admin privileges threatens the confidentiality, integrity, and availability of WordPress sites. This can lead to unauthorized data access, including customer information and business-critical content, defacement of public-facing websites damaging reputation, and disruption of services. Organizations in regulated sectors such as finance, healthcare, and e-commerce face compliance risks if personal data is exposed. Additionally, compromised WordPress sites can be leveraged as entry points for lateral movement into internal networks, increasing the risk of broader cyberattacks. Given the widespread use of WordPress in Europe, especially in countries with large digital economies, this vulnerability could affect a significant number of organizations, particularly those using the age-restriction plugin for legal compliance. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the high severity score underscores the urgency of addressing the vulnerability.

1. Immediately audit WordPress installations to identify the presence and version of the age-restriction plugin. 2. Monitor official plugin repositories and vendor announcements for patches addressing CVE-2025-11855 and apply updates promptly once available. 3. Until a patch is released, restrict access to the vulnerable function by implementing custom code or web application firewall (WAF) rules that block calls to age_restrictionRemoteSupportRequest from low-privileged users. 4. Enforce strict user role management policies to limit the number of authenticated users with subscriber or other low-level roles, reducing the attack surface. 5. Conduct regular security reviews and penetration tests focusing on privilege escalation vectors within WordPress environments. 6. Implement multi-factor authentication (MFA) for all authenticated users to reduce the risk of compromised credentials being used to exploit this vulnerability. 7. Maintain comprehensive logging and monitoring to detect suspicious account creations or privilege escalations promptly. 8. Educate site administrators on the risks and signs of exploitation related to this vulnerability.